JWT Decoder Online

Instantly decode any JWT token - see the header, payload, and signature breakdown. Free, private, no signup required.

What is a JWT Token?

A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It is the most widely used authentication format in modern web applications, REST APIs, and microservices. Every JWT consists of three base64url-encoded parts separated by dots:

Example: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.signature

How to Decode a JWT Token Online

  1. Copy your JWT token (from browser DevTools, Postman, or your app)
  2. Click "Open JWT Decoder" above
  3. Paste the token into the input field
  4. The header, payload, and signature are instantly decoded
  5. Inspect claims like exp, iat, sub, roles

Common JWT Claims Explained

Claim | Meaning                       | Example
sub   | Subject (user ID)             | "user_123"
iat   | Issued at (Unix timestamp)    | 1709000000
exp   | Expiration time               | 1709086400
iss   | Issuer (who created it)       | "api.myapp.com"
aud   | Audience (intended recipient) | "myapp.com"

Frequently Asked Questions

What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe string used to securely transmit information between parties. It has three parts separated by dots: a Base64Url-encoded header, a Base64Url-encoded payload, and a signature. JWTs are commonly used for authentication in web applications.

Is it safe to decode a JWT online?
The payload of a JWT is Base64Url encoded, not encrypted — anyone with the token can decode it. Decoding is safe since it doesn't require the secret key. However, never paste production JWTs containing sensitive user data into online tools. Use test tokens for debugging.

Can this tool verify the JWT signature?
The decoder shows the decoded header and payload instantly. Signature verification requires the secret key (for HMAC) or public key (for RSA/ECDSA). The tool can check if the token is expired by reading the exp claim, but cannot cryptographically verify the signature without the key.

What does exp mean in a JWT?
The exp (expiration time) claim is a Unix timestamp indicating when the token expires. The iat (issued at) claim shows when it was created. The nbf (not before) claim indicates the earliest time the token is valid. Our decoder converts all three to human-readable dates.

What signing algorithms do JWTs use?
The most common JWT algorithms are: HS256/HS384/HS512 (HMAC with SHA), RS256/RS384/RS512 (RSA with SHA), ES256/ES384/ES512 (ECDSA), and PS256/PS384/PS512 (RSASSA-PSS). The algorithm is declared in the JWT header's alg field.

How do I create a JWT?
JWTs are generated server-side using a library: jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java). You define the payload claims, choose an algorithm, sign with your secret or private key, and the library produces the encoded token string.

JWT Structure Explained

A JWT consists of three base64url-encoded parts separated by dots: header, payload, and signature. Here is a real example broken down:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded:

// Header (algorithm & token type)
{
  "alg": "HS256",
  "typ": "JWT"
}

// Payload (claims)
{
  "sub": "1234567890",
  "name": "Alice",
  "iat": 1700000000,
  "exp": 1700003600
}

// Signature = HMACSHA256(base64url(header) + "." + base64url(payload), secret)

The header and payload are only base64url-encoded — they are not encrypted. Anyone who holds the token can decode and read the claims. The signature is the only part that provides authenticity; it uses a secret or private key and cannot be forged without it.

JWT Claims Reference

The JWT specification (RFC 7519) defines a set of standard registered claim names. All are optional but widely supported by libraries and frameworks:

Claim | Full Name  | Type         | Description
iss   | Issuer     | string       | Identifies who issued the JWT (e.g., your auth server URL)
sub   | Subject    | string       | Identifies the principal (typically user ID)
aud   | Audience   | string/array | Identifies the intended recipient(s)
exp   | Expiration | number       | Unix timestamp after which the token is rejected
nbf   | Not Before | number       | Unix timestamp before which the token is rejected
iat   | Issued At  | number       | Unix timestamp when the token was issued
jti   | JWT ID     | string       | Unique identifier for this token (prevents replay attacks)

JWT Security Best Practices

Implementing JWT correctly requires more than just decoding tokens. Follow these six practices to keep your authentication secure:

  • Always verify the signature — never trust an unverified JWT. Decoding the payload without verifying the signature means anyone can forge claims.
  • Set short expiry times — 15 minutes for access tokens, 7 days for refresh tokens. Short-lived tokens limit the damage if a token is stolen.
  • Never store sensitive data in the payload — the payload is base64 encoded, not encrypted. Anyone with the token can read every claim without the secret key.
  • Always validate the aud claim — prevents tokens issued for one service from being accepted by another service in your system.
  • Use asymmetric algorithms (RS256, ES256) for distributed systems — the private key signs tokens, the public key verifies them. Services only need the public key, which cannot be used to forge new tokens.
  • Rotate secrets regularly and invalidate tokens on logout — use a token denylist or keep expiry times short enough that revocation is implicit.

How to Decode a JWT Token Online — Step by Step

A JWT (JSON Web Token) is a Base64URL-encoded string with three dot-separated parts: header.payload.signature. Decoding is always possible without the secret — the signature only protects against tampering, it does not encrypt the payload.

  1. Copy your JWT token (starts with eyJ...)
  2. Paste it into the decoder above
  3. The header, payload claims, and expiry are shown instantly
  4. To verify the signature, enter the secret key (HMAC) or paste the public key (RS256)

JWT Token Structure Decoded

// A JWT token looks like:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzQyODYwMDAwLCJleHAiOjE3NDI5NDY0MDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

// Header (decoded):
{ "alg": "HS256", "typ": "JWT" }

// Payload (decoded):
{ "sub": "1234567890", "name": "Alice", "iat": 1742860000, "exp": 1742946400 }

// Signature: verifies with the secret key

JWT Signing Algorithms Explained

The alg field in the JWT header defines the signing algorithm. Understanding it is essential for validating tokens correctly:

Algorithm | Type         | Key needed to verify    | Use case
HS256     | HMAC-SHA256  | Shared secret           | Internal APIs, same-service auth
HS384     | HMAC-SHA384  | Shared secret           | Higher security HMAC variant
RS256     | RSA-SHA256   | Public key (asymmetric) | OAuth2, OpenID Connect, multi-service
ES256     | ECDSA-SHA256 | EC public key           | Mobile apps, smaller token size
none      | Unsigned     | None                    | ⚠ Insecure — never accept in production

Decode JWT in Code

// JavaScript — decode without verification (read-only)
// token: the JWT string, e.g. taken from an Authorization: Bearer header
const [header, payload, sig] = token.split('.');
// base64url -> base64, restore '=' padding, then decode as UTF-8 so non-ASCII claim values survive
const b64 = payload.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(payload.length / 4) * 4, '=');
const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
const decoded = JSON.parse(new TextDecoder().decode(bytes));
console.log(decoded); // { sub, name, iat, exp, ... } (nothing here is verified yet)

// Node.js — verify with jsonwebtoken (pin the algorithm list; never let the token's alg choose it)
const jwt = require('jsonwebtoken');
const data = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });

// Python — decode with PyJWT (checks the signature and exp by default; the algorithm list must be pinned explicitly)
import os, jwt
data = jwt.decode(token, os.environ["JWT_SECRET"], algorithms=["HS256"])
